From: "Coiner, John" <John.Coiner@amd.com>
To: "git@vger.kernel.org" <git@vger.kernel.org>
Subject: git, monorepos, and access control
Date: Wed, 5 Dec 2018 20:13:16 +0000
Message-ID: <939efd87-b2af-29d7-efdd-9cf8f6de9d10@amd.com>

Hi,

I'm an engineer with AMD. I'm looking at whether we could switch our
internal version control to a monorepo, possibly one based on git and
VFSForGit.

One obstacle to moving AMD to git/VFSForGit is the lack of access
control support in git. AMD has a lot of data whose distribution must be
limited. Sometimes it's a legal requirement, e.g. CPU core designs are
covered by US export control laws and not all employees may see them.
Sometimes it's a contractual obligation, as when a third party shares
data with us and we agree only to share this data with certain
employees. Any hypothetical AMD monorepo should be able to securely deny
read access in certain subtrees to users without required permissions.

Has anyone looked at adding access control to git, at a per-directory
granularity? Is this a feature that the git community would possibly
welcome?

Here's my rough thinking about how it might work:

- an administrator can designate that a tree object requires zero or
  more named privileges to read
- when a mortal user attempts to retrieve the tree object, a hook
  allows the server to check if the user has a given privilege. The hook
  can query an arbitrary user/group database, LDAP or whatever. The
  details of this check are mostly in the hook; git only knows about
  abstract named privileges.
- if the user has permission, everything goes as normal.
- if the user lacks permission, they get a DeniedTree object which
  might carry some metadata about what permissions would be needed to see
  more. The DeniedTree lacks the real tree's entries. (TBD, how do we
  render a denied tree in the workspace? An un-writable directory
  containing only a GITDENIED file with some user-friendly error message?)
- hashes are secret. If the hashes from a protected tree leak, the
  data also leaks. No check on the server prevents it from handing out
  contents for correctly-guessed hashes.
- mortal users shouldn't be able to alter permissions. Of course,
  mortal users will often modify tree objects that carry permissions. So
  the server should enforce that a user isn't pushing updates that alter
  permissions on the same logical directory.

I would welcome your feedback on whether this idea makes technical
sense, and whether the feature could ever be a fit for git.

You might ask what alternatives we are looking at. At our scale, we'd
really want a version control system that implements a virtual
filesystem. That already limits us to ClearCase, VFSForGit, and maybe
Vesta among public ones. Am I missing any? We would also want one that
permits branching enormous numbers of files without creating enormous
amounts of data in the repo -- git gets that right, and perforce (our
status quo) does not. That's how I got onto the idea of adding read
authorization to git.

Thanks,
John
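
A toy model of the scheme sketched in the message above, added here as an illustration; it is not code from the post or from git. The `Server` class, the `has_privilege` hook signature, the SHA-1-over-repr object ids, the privilege name and the users are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Tree:
    entries: tuple                      # ((name, child_object_id), ...)
    required: frozenset = frozenset()   # named privileges needed to read this tree

@dataclass(frozen=True)
class DeniedTree:
    missing: frozenset                  # metadata: privileges the user would need

class Server:
    def __init__(self, has_privilege):
        self.objects = {}                    # object id -> Tree or blob bytes
        self.has_privilege = has_privilege   # hypothetical hook: (user, privilege) -> bool

    def store(self, obj):
        raw = obj if isinstance(obj, bytes) else repr((obj.entries, sorted(obj.required))).encode()
        oid = hashlib.sha1(raw).hexdigest()  # stand-in for git's real object hashing
        self.objects[oid] = obj
        return oid

    def read(self, user, oid):
        obj = self.objects[oid]
        required = obj.required if isinstance(obj, Tree) else ()   # blobs carry no check
        missing = frozenset(p for p in required if not self.has_privilege(user, p))
        return DeniedTree(missing) if missing else obj   # denied: real entries withheld

    def perms(self, oid, path="/"):
        """Map each logical directory path under oid to its required privileges."""
        obj, out = self.objects[oid], {}
        if isinstance(obj, Tree):
            out[path] = obj.required
            for name, child in obj.entries:
                out.update(self.perms(child, f"{path}{name}/"))
        return out

    def push_allowed(self, old_root, new_root):
        """Reject a push that changes privileges on a directory present in both roots."""
        old, new = self.perms(old_root), self.perms(new_root)
        return all(old[p] == new[p] for p in old.keys() & new.keys())

def build_sample():   # constructed data: only alice holds 'export-controlled'
    srv = Server(lambda user, priv: (user, priv) in {("alice", "export-controlled")})
    blob = srv.store(b"module core; endmodule\n")
    cpu = srv.store(Tree((("core.v", blob),), frozenset({"export-controlled"})))
    root = srv.store(Tree((("cpu", cpu),)))
    return srv, blob, cpu, root
```

In this model `read("bob", blob)` returns the file contents even though bob receives a `DeniedTree` for `cpu/`, which is the "hashes are secret" property the message accepts: confidentiality rests entirely on the blob id never reaching bob.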